HCI Today Privacy Policy

Data Controller

• Name: Companoid Institute of Technology (CIT)
• Business Registration No.: 457-86-01970
• Contact: hci.today@companoid.institute

1. Categories, Purposes, and Retention Periods of Personal Information Processed

The Company processes the following personal information:

1) Newsletter Subscription

• Purpose: Weekly HCI highlight delivery, subscriber identification, duplicate registration and misdelivery prevention, subscription/cancellation management, delivery history management
• Items: Name, email address
• Retention: Until unsubscription or withdrawal of consent

However, if retention is required under applicable laws, the information may be stored separately for the period prescribed by such laws.

2) Optional Marketing/Event Information

• Purpose: Providing marketing information including CIT programs, events, service updates, and promotions
• Items: Name, email address, marketing/event information consent status
• Retention: Until withdrawal of consent

3) Information Automatically Collected During Service Use

• Purpose: Service operation and security, error response, access statistics analysis, performance improvement, fraud prevention
• Items: IP address, access date/time, access logs, page path (URL), referrer, browser and version, OS and version, device type, country or city-level access information, usage records including pageviews/page transitions/clicks/form submissions, anonymous identifiers, performance metrics (Core Web Vitals, etc.), security logs
• Retention: 1 year from collection

However, the information may be retained longer within the limits permitted by law when necessary for security incident response or dispute resolution.

4) Content Removal Request Processing

• Purpose: Requester verification, rights relationship confirmation, response to request, deletion/restriction/modification measures, dispute resolution
• Items: Content URL for removal, original URL (optional), requester name, relationship to original work, email address, reason for request, and other information submitted during request processing
• Retention: 3 years after processing completion

However, the information may be retained until the end of any ongoing disputes.

5) Source Submission Request Processing

• Purpose: Review of proposed sources, response, service improvement, prevention of malicious/repeated requests
• Items: URL, description (optional), reason for request, requester name, email address
• Retention: 1 year after review completion

6) Inquiry and Rights Exercise Response

• Purpose: Inquiry handling, identity verification, processing of access/correction/deletion/suspension/consent withdrawal requests, dispute resolution
• Items: Name, email address, inquiry or request content, attachments, information submitted for identity or authority verification
• Retention: 3 years after processing completion

The Company does not, as a rule, collect unique identification information such as resident registration numbers or passport numbers, nor sensitive information such as health or biometric data. Users should take care not to include unnecessary personal information or excessive personal information of third parties in free-text fields.

2. Provision of Personal Information to Third Parties

The Company does not, in principle, provide personal information to external parties. However, exceptions are made in the following cases:

1. When the data subject has given separate prior consent
2. When required by special provisions of law or to comply with legal obligations
3. When there is a lawful request from an authorized agency such as an investigative authority, court, or regulatory body

3. Entrustment of Personal Information Processing

The Company may entrust personal information processing to the following parties for smooth service provision:

1. Supabase Inc. — Entrusted task: Database storage and management
2. Plus Five Five, Inc. (Resend) — Entrusted task: Newsletter and email delivery
3. Vercel Inc. — Entrusted task: Website hosting, performance measurement, web traffic analysis
4. PostHog, Inc. — Entrusted task: Service usage analysis, behavioral data analysis for product improvement

The Company reflects necessary provisions in contracts to ensure safe processing of personal information in accordance with applicable laws when concluding entrustment contracts, and manages and supervises the entrusted parties. When the content of entrusted tasks or the entrusted parties change, the Company will disclose such changes promptly through this Privacy Policy.

4. Cross-Border Transfer of Personal Information

The Company may transfer personal information to overseas entrusted parties (including processing entrustment and storage) as a result of using overseas cloud and SaaS services. The Company discloses the following in accordance with Article 28-8 of the Personal Information Protection Act:

1) Supabase Inc.

• Items transferred: Newsletter subscription information (name, email), marketing consent status, removal request information, source submission request information, inquiry response information, and other information stored by the Company on Supabase
• Country/Region: Japan
• Timing and method: When data subjects enter/submit relevant information or at necessary points during service operation, via encrypted network transmission
• Purpose of recipient: Cloud database storage and management
• Retention: For the period necessary to perform the task, or until a deletion request is received, or until the entrustment contract terminates
• Contact: privacy@supabase.com
• Basis: Processing entrustment/storage necessary for contract conclusion and performance with the data subject

2) Plus Five Five, Inc. (Resend)

• Items transferred: Name, email address, subscription status, marketing consent status, email delivery/receipt status information
• Country: United States
• Timing and method: When sending newsletters or emails, via encrypted network transmission
• Purpose of recipient: Newsletter, optional marketing/event information, and related email delivery
• Retention: Until unsubscription or withdrawal of consent, or until the entrustment contract terminates
• Contact: privacy@resend.com
• Basis: Processing entrustment/storage for providing email services requested or consented to by the data subject

3) Vercel Inc.

• Items transferred: Access logs, IP address, page path, referrer, browser/OS information, device type, country-level access information, performance metrics, security logs
• Country: United States
• Timing and method: When data subjects access or use the website, via encrypted network transmission
• Purpose of recipient: Website hosting, traffic analysis, performance measurement, security and stability
• Retention: For the period necessary for service operation, or until the entrustment contract terminates
• Contact: privacy@vercel.com
• Basis: Processing entrustment/storage necessary for contract conclusion and performance with the data subject

4) PostHog, Inc.

• Items transferred: Pageviews, page transitions, clicks, form submission status, browser and device information, anonymous identifiers, geolocation attributes, opt-out status information, event data necessary for service analysis
• Country/Region: United States
• Timing and method: When data subjects use the website, via encrypted network transmission
• Purpose of recipient: Service usage analysis, user experience improvement, feature improvement and operational optimization
• Retention: In principle, 1 year or until the entrustment contract terminates
• Contact: privacy@posthog.com
• Basis: Processing entrustment/storage necessary for contract conclusion and performance with the data subject

Note: Cookie/local storage usage and collection scope depend on actual service configuration.

Data subjects who do not wish their personal information to be transferred overseas may discontinue use of the relevant features, or request deletion, processing suspension, or consent withdrawal for information already provided. However, since some of the service infrastructure and email delivery is based on overseas services, refusing overseas transfer may limit all or part of the Service including website access, newsletter subscription, removal request submission, and source submission.

5. Personal Information Destruction Procedures and Methods

The Company shall promptly destroy personal information when it becomes unnecessary due to expiration of the retention period, achievement of processing purpose, or other reasons.

1. Destruction procedure: Unnecessary personal information is reviewed for destruction in accordance with applicable laws and internal standards, then destroyed.
2. Destruction methods:
   • Personal information in electronic file format is deleted using methods that prevent recovery or reproduction.
   • Personal information in paper document format is shredded or incinerated.

Personal information that must be separately preserved under applicable laws is stored securely, separated from other personal information.

6. Rights and Obligations of Data Subjects and Legal Representatives, and Methods of Exercise

Data subjects may exercise the following rights with respect to the Company at any time:

1. Request to access personal information
2. Request to correct or delete personal information
3. Request to suspend processing of personal information
4. Request to withdraw consent
5. Request to unsubscribe from the newsletter

Rights may be exercised by contacting hci.today@companoid.institute. Newsletter unsubscription is also available through the unsubscribe function in emails.

The Company may request information necessary to verify the identity of the data subject or the legitimacy of their representative. When exercising rights through a representative, the Company may require documentation proving lawful delegation or authority.

The Company may restrict the exercise of rights within the limits permitted by law, such as when there are special provisions in applicable laws or when exercising rights may infringe on the rights or interests of others.

7. Measures to Ensure the Security of Personal Information

The Company takes the following measures to ensure the security of personal information:

1. Transmission encryption: Personal information is transmitted through encrypted communication means such as TLS (SSL).
2. Access rights management: Access to personal information is limited to a minimum number of personnel, and access is managed only within the scope necessary for business purposes.
3. Account and secret information management: Administrator accounts, access tokens, API keys, and other secret information are separately managed and changed or disposed of as necessary.
4. Utilization of external service security: The Company utilizes the security features and access control systems of trusted cloud service providers such as Supabase and Vercel.
5. Log and anomaly monitoring: Logs generated during service operation are monitored to identify unauthorized access or misuse possibilities.

8. Installation, Operation, and Refusal of Cookies and Automatic Collection Devices

The Company may use web analytics and performance measurement tools for Service operation and improvement:

1. Vercel Web Analytics and Speed Insights: The Company may use Vercel Web Analytics and Speed Insights to understand web traffic and performance. These tools are designed to collect aggregate or anonymous performance and usage statistics.
2. PostHog: The Company may use PostHog for service improvement and may analyze usage events including pageviews, clicks, and form submission status. PostHog may use cookies or similar technologies such as local storage for anonymous identifiers or opt-out status storage depending on service configuration.
3. Refusal method: Users may restrict the use of cookies and similar technologies by changing their browser's cookie and site data settings or by deleting stored site data. Users may also contact the Company by email for guidance on restricting analytics collection.
4. Effect of refusal: Restricting the use of cookies or similar technologies may limit some statistical features, preference persistence, or Service convenience features.

9. Personal Information of Children Under 14

The Company's Service is not, in principle, intended for children under 14 years of age. The Company does not intentionally collect personal information from children under 14. If the Company becomes aware that personal information of a child under 14 has been collected, it will promptly delete such information or take necessary measures.

10. Chief Privacy Officer

The Company designates the following Chief Privacy Officer who is responsible for overseeing personal information processing:

• Name: Hyeonggeun Yun
• Department: HCI Today Operations Team
• Email: hci.today@companoid.institute

Data subjects may contact the above for all personal information protection-related inquiries, complaints, remedies, and rights exercise requests arising from Service use.

11. Remedies for Rights Infringement

Data subjects may apply for consultation or dispute resolution with the following agencies for remedies related to personal information infringement:

• Personal Information Dispute Mediation Committee: 1833-6972
• Personal Information Infringement Report Center: 118
• Supreme Prosecutors' Office: 1301
• National Police Agency: 182

12. Changes to the Privacy Policy

The Company may amend this Privacy Policy in response to changes in laws, Service content, or personal information processing methods. When this Policy is changed, the Company will post the changes within the Service.

For significant changes, advance notice will be given for a reasonable period before the effective date.

Supplementary Provisions

This Privacy Policy takes effect on April 2, 2026.